Guccifer 2 and the Podesta Emails

By Llama on May 28, 2017

I’ve posted below the first forty documents that Guccifer 2 leaked on his/her WordPress site between June 15 – June 21, 2016. What I’ve done is cross reference these leaks, which Guccifer 2 himself/herself said were from the DNC, with Wikileaks’ DNC email publication. My research shows that none of these Guccifer 2 DNC documents are in Wikileaks’ DNC documents. That’s not to say they didn’t show up at all in Wikileaks. They did. They showed up in Wikileaks’ Podesta emails, not the DNC emails. At least almost half of them did. The other half I was not able to locate at all in Wikileaks. Please feel free to cross reference this list yourself with Wikileaks (sometimes you have to be creative in your search or use the attachment or filename search) because I’m only human here, folks. Furthermore, I believe that debunking information only gets us closer to the truth.

Not found (My notes say that I had found this previously in the Podesta emails but who’s the idiot that didn’t save the Wikileaks’ link the first time? Yup, that would be me.) Thank you to OneOfTheGods and nakedname who left the link to this in the comments below.

Podesta Email Only 3.21.15 (Wikileaks attachment) *Notice John Podesta’s name has been removed in the Guccifer 2 document

2015-2016 Contribution Limits (DCCC)

Not found. However, something similar is found in the Podesta emails. See 4.4.15 attachment “Hillary for America Contribution Limits.” Is it just me or does Guccifer 2’s document look like the header and date has been added?

Not found. Although HRC’s 2016 Financial Disclosure Form is in Wikileaks DNC emails. See attachment

HRC Defense – Emails

Not found

HRC Travel – Private Jets FINAL

Not found

I have compiled two lists from the documents above: G2 (alleged DNC) documents found in Wikileaks’ Podesta emails and the G2 (alleged DNC) documents I could not find in any Wikileaks’ publications. And to be clear, there is not one G2 document released on these three days (that’s as far as I researched) that I found in Wikileaks’ DNC email publication.

Only Found In Wikileaks’ Podesta Emails

12.19.15 Donald Trump Report

07.15.13 Second “Democratic Party list of donors” screenshot

05.26.15. Strategy on GOP 2016ers.doc

04.05.15 HRC Election Plans

04.04.15 Hillary for America Fundraising Guidelines from Agent Lette

02.05.16 HRC Personal and Purpose Driven ROY

03-22.15 Memo for Senior Staff (Podesta name is removed in G2 doc)

01.03.15 Convention Memo -12-15

03.09.16 HFA Paid Media Traffic 3 9 16

03.25.15. Memo for Fundraising Staff

03.02.15 Presidential campaign 2016

03.30.15 Private Memorandum to Ashton Carter 3.17.15

09.17.15 WJC HFA Requests 9.16.15

03.06.15 Wyss Democracy Strategy 03 06 16

04.29.15 CGEP

20150426 MEMO—Clinton Cash Unravels

Not Found In Any Wikileaks Publications

First “Democratic Party list of donors” screenshot

Third “Democratic Party list of donors” screenshot

Promises and Proposals—National Security and Foreign Policy

2.19.16 Friends of HRC List_HFA16 Giving History

4.16 Commitment Sheet_0404416

7.1.15 Commitment Sheet

First “donor data” screenshot

Second “donor data” screenshot

Third “donor data” screenshot

Financial Report

2016 Red to Blue Memo

2015 JHs Roster

2015-2016 Contribution Limit (although similar doc is in Podesta emails)

confirmed attendees april 2016

Copy of DC Ind $1K Up

Staff1

2016er Attacks—HRC Defense Master Doc0

7.07.15 2016 Democrats Positions Cheat Sheet 7-7-15

Attacks on Clinton Family Members

Clinton Foundation Donors $25k+

Clinton Foundation Vulnerabilities Master Doc FINAL (G2 document has two corrections in it dated 3.30.15)

Clintons PFD 2015

HRC Defense—Emails

HRC Travel—Private Jets FINAL

So what does this all mean? Well, that’s a great question and frankly, I’m not sure. You would think that if Guccifer 2 dumped legitimate DNC documents that they would be found in Wikileaks’ DNC emails and attachments but that doesn’t appear to be the case. So here are some scenarios I’ve come up with:

G2 leaked DNC documents that Wikileaks never received from their DNC email source

G2 leaked DNC documents that Wikileaks received from their DNC email source but did not publish them

G2 leaked DNC documents that were found in both the DNC and Podesta emails but Wikileaks only received them from their Podesta email source

G2 never leaked any DNC documents

I have a bunch of other ones rattling around my brain, some crazier than the next. As for the above, if G2 leaked legit DNC documents why didn’t Wikileaks’ source give those to them? Were the documents that I couldn’t find in Wikileaks never sent through DNC or Podesta email? That seems a little absurd but I suppose anything’s possible.

And why wouldn’t Wikileaks publish these documents if they had them? That makes even less sense—and the argument that maybe Wikileaks wanted to distance themselves from G2 because they were working with the Russians doesn’t make sense either because the absence of G2 documents would make it more obvious that they were trying to distance themselves. And don’t forget, just because I didn’t find them doesn’t mean some of them aren’t in Wikileaks (my guess is that more of the ones I couldn’t find are indeed in the Podesta emails). Or, if G2’s DNC documents were found in both DNC and Podesta emails (which wouldn’t be terribly weird) and Wikileaks’ source for the DNC and Podesta emails is one and the same, why did Wikileaks’ source refrain from giving them certain DNC documents? Did Wikileaks refrain from publishing them in July, 2016 knowing full well that some of them (the ones they had) would come out later in the Podesta emails?

And when did Wikileaks’ source give them the DNC and Podesta emails? I have to assume it was before Guccifer 2 started publishing because of Assange’s interviews in June, 2016 which seemed to have set off this entire bowl of baffling G2 tomfoolery. Ugh, moving on…

Lastly, what if G2 never hacked the DNC in the first place? It’s really not hard to believe after looking over Adam Carter’s research at g-2/space. He’s done an astounding job at debunking G2 as a Russian hacker. In fact, metadata shows G2 may be a DNC insider, Warren Flood. However, it still doesn’t explain why G2 leaked documents that were either not found in Wikileaks’ publications or only found in the Podesta emails.

Am I thinking too much about this? Is there a simpler explanation for this that I’m not seeing?

Leave a comment, your theories, or corrections below or you can tweet/DM me at @jimmysllama. Thanks!

Nice work, Llama. It really does look like Guccifer 2.0 and the person who supplied WikiLeaks with material were two different parties, which is not what the DNC wants us to believe.

Possibly related to this question is the fact that Charles Delavan’s story about insisting Podesta must change his password is most likely untrue, for the reasons outlined in Slate. As an IT manager, I have written many of these emails myself, and it makes no sense for Delavan to have stated not once, but twice, that his password needed to be changed immediately IF he knew the phishing email was a fake. A typo I could understand, but not a whole email.

Now, this story about Podesta getting phished specifically seemed to have appeared no earlier than an October 20, 2016 article in Motherboard (“How Hackers Broke into John Podesta and Colin Powell’s Gmail Accounts”), which was 13 days after Wikileaks announced they would be posting ‘The Podesta Emails’. So I believe the DNC folks had some reason for making up the typo story once they learned Podesta’s emails were about to be released. Here are some ideas:

They may have realized the WikiLeaks’ Podesta Emails release could have revealed through analysis that they were not acquired by Guccifer2, and they needed to show there was another hacker on the loose.
Or, given the doubts some people had about Guccifer2’s origins, they may have wanted to show there was another “hacker”, and one that could be more easily tied to Russian intelligence services.
Or, it may have been that Podesta didn’t want to seem like an idiot for clicking the link and simply asked his IT guy to take the blame instead. I think this is unlikely because Podesta comes off looking bad regardless.

Why else would the DNC want to suggest this was not the work of their Guccifer2 creation?

There is little doubt Podesta did receive a phishing email. The question is whether he actually clicked the link, AND entered his credentials, AND whether the spearphishers recognized the importance of this man’s account (out of the thousands they had targeted), AND copied all his email, AND provided it to WikiLeaks. Since established organizations receive many such phishing attempts on a daily basis, it’s not surprising they were able to find examples that could be used as “evidence”.

If Mr. Podesta was not, in fact, spearphished successfully, we have to wonder whether an insider would have been able to access those emails. Did he rely entirely on Google’s cloud to store his emails, or was there a local copy on his computer as well? And if so, how many people had permission to copy it?

Lastly, it is interesting to read SecureWorks’ analysis of the phishing attacks that was posted on June 16, 2016, right after all this Russian hacking news first broke. They are very specific about who was targeted in the organization, but there is no mention of Podesta at this point.

Hi Kernel. I’m someone with zero technical knowledge who is, nonetheless, very interested in this story. I’ve studied Adam Carter’s web page a lot and researched some of the concepts involved like VPNs, but I still don’t know much so sorry if I’m missing obvious stuff.

First, I couldn’t make sense of why Charles Delavan was saying to change the password if he thought the email was illegitimate, so I was very happy to hear someone knowledgeable confirm my take.

But Charles Delavan’s email telling Podesta to change his password seems to be in the Wikileaks Podesta releases. https://wikileaks.org/podesta-emails/emailid/34899
So doesn’t that mean that Delavan’s story about sending the email has to be true? If so, I think the only explanation is that CD messed up and thought it was a real email and the typo story is a lie so he doesn’t look so bad.

Second, thanks for providing the Motherboard article reference as I was wondering when the first public mention of the Podesta phishing attack was. I went to it before finishing your post and went to the SecureWorks link from there. And I couldn’t find any mention of Podesta so when I returned to your post I was happy to see that I wasn’t making a mistake. But do you have any ideas where Motherboard got the Podesta information? I’ve read the MB article several times and they definitely seem to be leaving the impression that the information came from the SecureWorks post but, as you say, that seems to be false.

Hi Audrey, sorry I didn’t see your response until now. I am reaching the same conclusion you did, that regardless of the truth of Delavan’s explanation, it seems very likely that Podesta received a phishing email, and it didn’t matter what Delavan had advised the DNC staff since either way the phish provided enough reason to explain how Podesta was hacked.

I suppose you’re right that he just wanted to avoid looking like he had been fooled by the fake email. (Another reason he could have given, but didn’t, would be that he was desperate for Podesta to turn on 2-factor authentication, and was only using the phish as motivation to get him to enable it.) However, it could also be possible that someone saw this as a clever ploy to create a narrative that would be attractive to the MSM.

Still, I have my doubts that Podesta actually clicked the link and entered his credentials into the fake form. Here is what SC Media wrote in their October 21, 2016 article (“Russia behind Podesta hack, report”):

“Update: In a followup call with SecureWorks, a spokesperson clarified that the company doesn’t have any insight into whether Podesta actually clicked through on the phish.”

It’s curious also that SecureWorks does not mention Podesta in their June 16, 2016 report when there was such a clear email trail of it happening in March.

With respect to the Motherboard article, as you say, they do not reveal the source, writing only about “a source close to the investigation”. Here’s the definitive quote:

“That’s the link that opened Podesta’s account to the hackers, a source close to the investigation into the hack confirmed to Motherboard.”

It’s worth noting here that SecureWorks is owned by Dell, which is hardly an independent organization. It works closely with US intelligence agencies and was the company Snowden was working at when he downloaded the NSA trove.

Their description of the connection of the alleged phishing campaign of 2015 with the more recent publicized campaign in 2016 is curiously lacking in specificity. They never actually say that the 2016 phishers used the same Bitly account as the 2015 phishers. It’s just implied, and there is a weird use of the term “activity” in their 6/26/16 report, that sounds like they were trying to avoid a more specific term:

“In June 2016, CTU researchers published analysis of a TG-4127 campaign that targeted email accounts linked to Hillary Clinton’s 2016 presidential campaign and the U.S. Democrat National Committee. The activity used the same technique as a 2015 spearphishing campaign that targeted more than 1,800 Google Accounts.”

They then go on to provide in-depth analysis of the 2015 attack that was primarily focused on Russian and Ukrainian targets, later following up with the statement “the 2015 campaign did not focus on individuals associated with U.S. politics” in the 6/16/16 report (“Threat Group-4127 Targets Hillary Clinton Presidential Campaign”). They could be two completely different phishing campaign instigators for all we know. It would really help if SecureWorks were to release their list of all the targeted email accounts.

It’s also notable that they only “assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.” That phrase is then carefully defined:

Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.

A number of June 18, 2016 documents are in cf.7z dossier: 10k-do-not-email-list.xlsx, copy-of-dc-ind-1k-up.xlsx, 2015-jhs-roster.xlsx, 10k-2013-2-18-16-email-suprression-list.xlsx, 2016-red-to-blue-memo.pdf, 2016-email-blast-list-3-17-16.xlsx